What Makes a Critical Vulnerability Critical?

By Larry Seltzer  |  Posted 2008-10-14

The lack of standards or consistency in the industry makes prioritization difficult for IT. Microsoft's severity ratings are probably on target, but their definitions are obsolete.

Today's Patch Tuesday release announced 11 bulletins: four critical, six important, and one moderate. What do these terms mean?

You see severity ratings most of the time you see a vulnerability disclosure, but there are no hard standards for severity ratings. In fact some vendors, most infamously Apple, don't provide any severity ratings for their vulnerabilities. Not that Apple is a big issue for many enterprises, but the absence of severity ratings makes it difficult to prioritize patches.

Microsoft's definitions for their ratings were last updated in November 2002, so they're pretty comfortable with them. Let's look at the definition of Critical: "A vulnerability whose exploitation could allow the propagation of an Internet worm without user action." That's pretty serious stuff. Sounds like Blaster and Code Red. Did four of this month's bulletins really have the potential to result in Internet worms?

I'll go out on a limb and say no, but it depends on what you mean by Internet worm. I think of a program which spreads itself around without users taking any action, like Blaster or Slammer. Microsoft uses the term Critical often when user interaction is required.


Consider this month's critical update MS08-057 (Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution). This describes three vulnerabilities in Excel that are triggered by opening a malicious document. Only for Excel 2000 is it rated critical, because Office 2000 does not, by default, include the functionality of the Office Document Open Confirmation Tool for Office 2000, which prompts the user before a document is opened; later Office versions have that prompt built in, and for them the same bug is rated Important. A bug that needs a user to open a file is not what makes an "Internet worm."

In fact, Microsoft has been ignoring its own definition of critical for years, as it should. There haven't been any real Internet worms for Windows in years, and nobody else restricts their definition of "critical" to such dire circumstances. Microsoft's Jeff Jones alludes to these points in a blog on severity ratings systems from last year.

I think for most vendors critical means remote code execution, but not to Microsoft, at least not officially. It's not hard to find Microsoft remote code execution vulnerabilities rated Important, such as MS08-049: Vulnerabilities in Event System Could Allow Remote Code Execution. I think the difference in MS08-049 is that the attacker has to be authenticated, which is a serious limitation in the attack.
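The reasoning in the two bulletin examples above (per-platform rating for MS08-057 because a default prompt exists on some Office versions but not others; MS08-049 downgraded because the attacker must be authenticated) can be written down as a triage rule that IT can apply consistently regardless of what a vendor calls things. The following is an added example, not Microsoft's rating logic and not code from the article; the platform names and per-platform mitigation flags are assumptions modelled on the bulletin descriptions in the text, and the `Bulletin`, `rate`, `aggregate` and `triage` names are this example's own.

```python
"""Severity triage helper (added example, not Microsoft's rating code).

Two rules the article contrasts:
  * Microsoft's November 2002 definition of Critical: exploitation could
    propagate an Internet worm without user action (worm_capable).
  * The de facto industry rule: remote code execution is Critical unless a
    serious limitation applies, i.e. the attacker must already be
    authenticated, or the user must click through a default-on prompt.
Ratings are computed per platform, then aggregated to the worst case, which
is how MS08-057 ends up Critical for Excel 2000 and Important elsewhere.
"""
from dataclasses import dataclass, field

RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


@dataclass
class Bulletin:
    bulletin_id: str
    remote_code_execution: bool
    requires_authentication: bool
    requires_user_action: bool
    # platform -> True when a default-on control (e.g. an open-confirmation
    # prompt) forces the user to confirm the action that triggers the bug.
    # Assumed values; the real bulletin tables are the authority.
    default_mitigation: dict = field(default_factory=dict)


def worm_capable(b: Bulletin) -> bool:
    """Microsoft's 2002 Critical: code execution with no credentials and no user action."""
    return (b.remote_code_execution
            and not b.requires_authentication
            and not b.requires_user_action)


def rate_platform(b: Bulletin, platform: str) -> str:
    """Industry-style rating for one platform."""
    if not b.remote_code_execution:
        return "Moderate"   # assumption: non-RCE issues are triaged elsewhere
    if b.requires_authentication:
        return "Important"  # attacker needs credentials first (the MS08-049 case)
    if b.requires_user_action and b.default_mitigation.get(platform, False):
        return "Important"  # the user must click through a default prompt
    return "Critical"


def rate(b: Bulletin) -> dict:
    """Per-platform ratings; a bulletin with no platform table gets one entry."""
    platforms = b.default_mitigation or {"all": False}
    return {p: rate_platform(b, p) for p in platforms}


def aggregate(b: Bulletin) -> str:
    """Bulletin-level rating: the worst rating across platforms."""
    return max(rate(b).values(), key=RANK.__getitem__)


def triage(bulletins):
    """Patch order: higher aggregate rating first, worm-capable first within a tier."""
    return sorted(bulletins,
                  key=lambda b: (RANK[aggregate(b)], worm_capable(b)),
                  reverse=True)


# Constructed sample data modelled on the article's descriptions (assumptions).
MS08_057 = Bulletin("MS08-057", remote_code_execution=True,
                    requires_authentication=False, requires_user_action=True,
                    default_mitigation={"Excel 2000": False, "Excel 2003": True})
MS08_049 = Bulletin("MS08-049", remote_code_execution=True,
                    requires_authentication=True, requires_user_action=False)

if __name__ == "__main__":
    for b in triage([MS08_049, MS08_057]):
        print(b.bulletin_id, aggregate(b), rate(b),
              "worm-capable" if worm_capable(b) else "not worm-capable")
```

Neither sample bulletin is worm-capable under the 2002 definition, yet MS08-057 still aggregates to Critical because one platform lacks the default prompt; that is exactly the gap between Microsoft's written definition and the rating it actually assigns. Swap in the real affected-software table from a bulletin and the same code gives a per-platform patch priority.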

Larry Seltzer has been writing software for, and English about, computers ever since (much to his own amazement) he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
